a formal framework for quantifying voter-controlled privacy

J. Algorithms 64 (2009) 89–105

Contents lists available at ScienceDirect

Journal of AlgorithmsCognition, Informatics and Logic

www.elsevier.com/locate/jalgor

A formal framework for quantifying voter-controlled privacy ✩,✩✩

Hugo Jonker ∗, Sjouke Mauw, Jun Pang

University of Luxembourg, Faculty of Sciences, Technology and Communication, 6, rue Richard Coudenhove-Kalergi, L-1359, Luxembourg

a r t i c l e i n f o a b s t r a c t

Article history:Received 1 January 2009Available online 17 March 2009

Keywords:Formal methodsPrivacy and securityVoting protocols

Privacy is a necessary requirement for voting. Without privacy, voters can be forced to votein specific ways, and the forcing party can check their compliance. But offering privacydoes not suffice: if a voter can reduce her privacy, an attacker can force her to do so. Inthis paper, we distinguish various ways that a voter can communicate with the intruderto reduce her privacy and classify them according to their ability to reduce the privacy ofa voter. We develop a framework combining knowledge reasoning and trace equivalencesto formally model voting protocols and define voter-controlled privacy. Our framework isquantitative, in the sense that it defines a measure for the privacy of a voter. Therefore, theframework can precisely measure the level of privacy for a voter for each of the identifiedprivacy-reduction classes. The quantification allows our framework to capture receipts thatreduce, but not nullify, the privacy of the voter.

© 2009 Elsevier Inc. All rights reserved.

1. Introduction

With the growth and commercialisation of the Internet, people become more and more concerned about their privacyin the digital world. Privacy has been a fundamental property for systems which provide users e-services, ranging fromelectronic voting to on-line auctions to health-care.

In voting, vote privacy is the property that an outside observer cannot determine how a voter voted. Although this seemssufficient to ensure privacy, Benaloh and Tuinstra [1] introduce receipt-freeness, which expresses that a voter cannot gainany information to prove to an intruder (someone trying to force the voter to cast a specific vote) that she voted in a certainway. Receipt-freeness aims to prevent vote buying, even when a voter chooses to renounce her privacy. Another strongernotion of privacy is coercion-resistance [2], stating that a voter cannot cooperate with the intruder to prove how she voted.Coercion-resistance also has received considerable attention. These strong notions of privacy actually capture the essentialidea that privacy must be enforced by a voting system upon its users, instead offering it.

In the literature, many research efforts have been devoted to ensure privacy properties for (electronic) voting. Severalschemes claiming to be receipt-free (e.g. [1,3,4]) have been proposed and were later shown to have receipts [5–7]. Resolvingthis kind of situation underlines the need for formal methods, which are mathematically based techniques to specify andverify systems. Several formalisations of privacy properties in voting have been proposed. Delaune, Kremer and Ryan [8,9]develop their formalisation based on observational equivalences of processes in the applied pi calculus, whereas we believeprivacy requirements should explicitly model the intruder’s knowledge. Based on his knowledge, the intruder can distinguishdifferent traces. Moreover, the privacy of a voter in a voting system also depends on how much knowledge (and when) thevoter shares with the intruder. In [10], the tool ProVerif is extended to check some (not all) equivalences of [8,9]. Recently,

✩ This work was partially supported by a grant of the National Research Fund of Luxembourg.✩✩ A preliminary version of this work has appeared in the ARES’09 IEEE proceedings.

* Corresponding author.E-mail addresses: [email protected] (H. Jonker), [email protected] (S. Mauw), [email protected] (J. Pang).

0196-6774/$ – see front matter © 2009 Elsevier Inc. All rights reserved.doi:10.1016/j.jalgor.2009.02.007

http://www.ScienceDirect.com/

http://www.elsevier.com/locate/jalgor

mailto:[email protected]



http://dx.doi.org/10.1016/j.jalgor.2009.02.007

90 H. Jonker et al. / J. Algorithms 64 (2009) 89–105

automatic verification techniques within the applied pi calculus framework have been proposed by Backes, Hritcu andMaffei [11]. Their approach has its focus on remote electronic voting protocols, and mainly deals with coercion-resistance.The constructive approach of Jonker and De Vink [12] is a logical characterisation of receipt-freeness, but this work is ina less mature state and thus currently only leads itself to high-level analysis. Baskar, Ramanujam and Suresh [13] define alanguage to specify voting protocols and use an epistemic logic to reason about receipt-freeness. Although it is relativelyeasy to express privacy properties based on logic of knowledge, it is rather difficult to develop verification techniques withinsuch a logical framework. All the aforementioned approaches only offer qualitative methods to analyse whether a votingprotocol satisfies some privacy property, instead of offering methods to quantify privacy. However, a qualitative approachleaves several possibilities for an intruder to reduce voter privacy. Examples include forcing a voter not to vote for a certaincandidate, or determining at which end of the political spectrum was voted. We believe that computing the exact possiblechoices of a voter is the only way to detect such attacks. In our view, any privacy reductor is a receipt, not just those thatnullify privacy.

In this paper we consider the possibilities for a voter to reduce her privacy, which we call voter-controlled privacy. Thevoter can subjectively provide the intruder information, to prove that she has voted in a certain way in order to sell hervote. The intruder tries to find out whether the voter did vote as she said, based on his knowledge gained by observingthe election and/or communicating with the voter. The privacy of any voting system largely depends on the possibilitiesafforded to the intruder to communicate with a voter. Voting literature [4,5,14–16] uses the following types of information-hiding techniques to ensure privacy: mixnets [16], blind signatures [14], homomorphic encryption [5]. Furthermore, privateuntappable one-way channels (voter to authority or authority to voter) or two-way channels are often assumed [4,5,15].The ability to break privacy relies on the information acquired by the intruder. Such channels provide a means to keepinformation from the intruder and thus help privacy. However, information can be forwarded to the intruder by the voter.And vice versa, a voter could use information supplied by the intruder (which then serves as a witness). These observationslead us to distinguish various independent ways that a voter can communicate with the intruder to rescind her privacyand classify them according to their ability to reduce the privacy of a voter. These classes are ordered according to privacy-reducing ability. The goal of this paper is to provide a method for quantifying privacy of voters within this ordering.

As made clear by Benaloh and Tuinstra [1], voter privacy depends on which knowledge the voter shares with the intruder,and at what time during the protocol this knowledge is shared. (This is captured by the ordering of the conspiracy classesin our paper.) Therefore, we develop a framework combining knowledge reasoning along the lines of [12,13] and traceequivalences of [8,9] to formally model voting protocols and define vote privacy for the voters. This enables us to describethe knowledge of the intruder, as well as of other entities in a voting protocol, at any point during execution of thesystem. To distinguish execution traces with respect to the current knowledge of the intruder, we adapt the reinterpretationfunction proposed by Garcia et al. [17]. The framework is quantitative, in the sense that it precisely measures privacy forany voter conspiring like one of the conspiracy classes. This is achieved by establishing per-voter choice groups, which takedifferent communication mechanisms between voters and the intruder into account, along the lines of anonymity groupsas introduced by Mauw, Verschuren and De Vink [18] and Chothia et al. [19]. Thus, the framework captures attacks whichreduce, but not nullify, privacy. Such attacks have not been identified and dealt with in other formal approaches.

Contribution. Our contribution in this paper is twofold. First, we introduce a new formal framework combining knowledgereasoning and trace equivalences to model and reason about voting protocols. Second, we provide a quantitative definitionof voter-controlled privacy. It allows for detection of subtle privacy attacks on voters. The different cooperation modes of avoter and the intruder are captured by conspiracy ordering.

Outline. The rest of this paper is organised as follows. In Section 2, we define the setting of our framework. In Section 3,a formal framework to model voting systems and its operational semantics is presented, which is followed by a quantitativedefinition of privacy in voting in Section 4, based on knowledge reasoning and trace equivalences. In Section 5, we classifyhow a voter can cooperate with the intruder and in Section 6, we formally define how to measure privacy for these classesof conspiring behaviour. We illustrate our framework by two examples in Section 7 and discuss the power of our frameworkby identifying some new attacks which can only be detected by a quantitative approach in Section 8. Finally, Section 9concludes the paper and lists some future works.

2. Setting

This paper restricts itself to studying privacy of a voting system at the protocol level. The setting for our approach is asfollows.

2.1. Election type

We call the type of elections studied in this paper 1v1v (short for “one voter, one vote”). 1v1v elections have thefollowing properties:

• There is a set of voters V , a set of candidates C , and a set of voting authorities Aut. We denote the set of all agents asAgents = V ∪ Aut.

H. Jonker et al. / J. Algorithms 64 (2009) 89–105 91

• Each voter v ∈ V is entitled to cast one vote for one candidate c ∈ C .• A public-key infrastructure for the public key pk(a) and private keys sk(a) of agent a ∈ Agents.• All votes have equal weight.• The set of received ballots precisely determines the election result, and is published after the elections.• The candidate preferred by a voter is independent of the voting system, which implies that the voter’s choice can be

given a priori.

Voting systems often distinguish between various phases, such as a registration phase, a voting phase and a counting phase.The below framework expresses phases as a synchronisation of parties.

2.2. Primitives

The following cryptographic and communication primitives are used in the framework.

• Nonces are freshly generated random values.• Encryption of a plain text φ with key k is denoted as {φ}k . The resulting cipher text can be decrypted using the inverse

key k−1. We distinguish symmetric encryption, where k−1 = k and asymmetric encryption such as public key encryption,where k = pk(a) (or sk(a)) and k−1 = sk(a) (or pk(a)), for some agent a.

• Public channels are communication channels that reveal everything about communication: sender, intended receiver andmessage.

• Anonymous channels are communication channels that hide the sender of a message. Other than that, anonymous chan-nels reveal intended receiver and message.

• Untappable channels are communication channels that are completely private. Only the sender and receiver learn thecommunicated message, and only they are aware that a communication occurred at all. Untappable channels can beeither directed (i.e. a one-way communication channel) or bi-directional (i.e. a two-way communication channel). Sec-tion 5 discusses the consequences of untappable channels further.

2.3. The intruder model

We consider a standard Dolev–Yao intruder [20] throughout the paper. This intruder model can be characterised asfollows:

• perfect cryptography assumption: no encrypted message can be opened without the decryption key;• network control:

– all messages sent on public and on anonymous channels are received by the intruder;– agents can only receive messages from the intruder.Thus, the intruder can block or modify any message communicated over a public or anonymous channel as he sees fit.Note that untappable channels are not under intruder control.

3. A framework for modelling voting systems

In this section, we develop a formal syntax and provide semantics for expressing the communication behaviour of votingsystems in terms of agents. We first specify syntax and derivation of terms. This is followed by the syntax of communicationevents, and the syntax of processes (which specify the order in which an agent executes events). Together, this enables usto syntactically express voting systems. Next, semantics is given at two levels: the level of individual agents, and the levelof the voting system as a whole.

As a consequence of the assumption that the way voters vote is independent of the election process, the relation betweenvoters and their chosen candidates can be given a priori. This is captured by the relation γ : V → C , which specifies for eachvoter v ∈ V which candidate γ (v) ∈ C she votes for. To deconstruct tuples, we use projection functions πi, i > 0 whichreturn the ith component of a tuple.

3.1. Syntax of the framework

We first define the syntax of terms, which is followed by the syntax of agents. Next, the syntactical representation of avoting system is defined as a function associating a state with each agent.

3.1.1. TermsThe terms communicated in a voting system are built up from variables from the set Vars, candidates from the set C ,

random numbers from the set Nonces, and cryptographic keys from the set Keys. The set of keys of a particular agent a isgiven by Keysa . These basic terms can be composed through pairing ((φ1, φ2)) and encryption ({φ}k).


Table 1Example: matching and substitution of terms.

φ σ match({n}pk(a), φ,σ )

var var �→ {n}pk(a) true{var}pk(a) var �→ n true{n}pk(a) ∅ true{n′}pk(a) any false

{n}k any false

Definition 1 (Terms). Let Vars be a set of variables, containing at least the variable vc, let Agents be a set of agents, let C bea set of candidates, let Nonces be a set of nonces, and let Keys be a set of keys, ranged over by var,a, c,n and k, respectively.The class Terms of terms, ranged over by φ, is given by the BNF

φ ::= var | a | c | n | k | (φ1, φ2) | {φ}k.

Syntactical equivalence of terms φ1, φ2 is denoted as φ1 = φ2. A term is called open if it contains variables and closed if itcontains no variables. The set of variables of an open term φ is given by fv(φ).

Terms encrypted with k can be decrypted using the inverse key k−1. For symmetric encryption, k−1 = k, whereas inasymmetric encryption, pk(a) denotes the public key and sk(a) the corresponding secret key of agent a. Signing is denotedas encryption with the secret key.

Example (Terms). The encryption of a nonce n with the public key of agent a is denoted as {n}pk(a) . A pair of this encryptednonce with itself, unencrypted, results in the term ({n}pk(a),n). Note that (({n}pk(a),n),n) = ({n}pk(a), (n,n)), as the terms aresyntactically different.

Variables represent unspecified terms, such as a voter’s choice. The voter’s choice is represented by the variable vc untilinstantiated.

Definition 2 (Term substitution). We introduce a variable mapping relation �→, of type Vars → Terms. The substitution of asingle variable var by term φ is denoted as var �→ φ. Application of substitution σ to term φ is denoted as σ(φ). The domainof substitution σ , notation dom(σ ), is the set of variables for which σ specifies a substitution. The range of a substitution σ ,notation rng(σ ), is defined as {σ(var) | var ∈ dom(σ )}. The composition of two substitutions σ ′ after σ is denoted by σ ′ ◦ σ .The empty substitution is denoted as ∅.

Agents communicating terms can expect to receive a term with a certain structure, for example, a term encrypted withthe agent’s public key ({φ}pk(a)). This is expressed by specifying an open term for the receiving agent (such as {var}pk(a)),that serves as a template for the expected term.

Definition 3 (Term matching). A closed term φ1 matches a term φ2, if there is a substitution σ , such that dom(σ ) = fv(φ2)

and σ(φ2) = φ1. We denote this as

match(φ1, φ2, σ ) ≡ σ(φ2) = φ1 ∧ dom(σ ) = fv(φ2).

Lemma 1 (Unique substitution). Given a closed term φ1 and a term φ2 , there is at most one substitution σ such that match(φ1, φ2, σ ).

Proof (Proof by contradiction). Suppose that for two terms φ1, φ2 there exist σ1, σ2 such that:

• match(φ1, φ2, σ1) and match(φ1, φ2, σ2) both hold, while• σ1 = σ2, σ1(φ2) = σ2(φ2) = φ1, and dom(σ1) = dom(σ2) = fv(φ2).

As dom(σ1) = dom(σ2) and σ1 = σ2, we have rng(σ1) = rng(σ2). Thus, there must be at least one variable var ∈ dom(σ1)

such that σ1(var) = σ2(var). But since dom(σ1) = fv(φ2), var ∈ fv(φ2). Thus σ1(φ2) = σ2(φ2), which is a contradiction. �Example (Variable matching and substitution). Consider the term of the previous example, {n}pk(a) . In Table 1, we comparethis term to several other terms to see if they match under the stated substitution. In Table 1, we assume that n = n′ andpk(a) = k.


A term φ may be derived from a set of terms K (notation K φ) if it is an element of K or if it can be derived byrepeated application of the following rules:

(pairing) K φ1, K φ2 �⇒ K (φ1, φ2)

(left) K (φ1, φ2) �⇒ K φ1(right) K (φ1, φ2) �⇒ K φ2(encryption) K φ, K k �⇒ K {φ}k

(decryption) K {φ}k, K k−1 �⇒ K φ

For instance, the decryption rule enables an agent a to decrypt {n}pk(a) , as he posses the key sk(a). An agent’s knowledge isa set of terms closed under derivability. Closure of a set K under derivability is defined as K = {φ | K φ}.

Example (Derivability and knowledge). From a knowledge set K containing term n, we can derive the following terms: n,(n,n), ((n,n),n), (n, (n,n)), and so on. If K also contains a key k, we can additionally derive terms such as {n}k , (n, {n}k),(n,k), (k,n), . . . .

3.1.2. AgentsTerms are communicated between agents. Communication of a term is an event. We distinguish public, anonymous,

and untappable communication channels. Hence, there are distinct events for each type of channel. Furthermore, we notethat any election process inherently has multiple phases. As such, synchronisation between the election officials must beinherent in voting systems. For the framework to support this, we introduce a phase synchronisation event.

Definition 4 (Events). The class Ev of communication events, ranged over by ev, is given by:

Ev = {s(a,a′, φ), r(a,a′, φ),as(a,a′, φ),ar(a′, φ),us(a,a′, φ),ur(a,a′, φ),ph(i) | a,a′ ∈ Agents, φ ∈ Terms, i ∈ N

},

where s, r,as,ar,us,ur denote sending and receiving over public, anonymous and untappable channels, respectively. Finally,ph(i) is the event denoting that an agent is ready to execute phase transition i.

The subclass of send events is denoted as:

Evsnd = {s(a,a′, φ),as(,a′, φ),us(a,a′, φ) | a,a′ ∈ Agents, φ ∈ Terms

}.

Similarly, the subclass of receive events is denoted as:

Evrcv = {r(a,a′, φ),ar(a′, φ),ur(a,a′, φ) | a,a′ ∈ Agents, φ ∈ Terms

}.

The subclass of phase events is denoted as Evph = {ph(i) | i ∈ N}.

Variable substitution is extended straightforwardly to events, by replacing all substituted variables in the term of oneevent. This is denoted as σ(ev) for an event ev and a substitution σ . The function fv is similarly extended, by application tothe term of an event. The set of free variables of an event ev is thus given by fv(ev).

The behaviour of an agent is determined by the order in which events occur. This order is defined by the agent’s process,as follows.

Definition 5 (Processes). The class Processes of processes, ranged over by P , is defined as follows.

P ::= δ | ev.P | P1 + P2 | P1 � φ1 = φ2 � P2 | ev.X(φ1, . . . , φn).

Here, δ denotes a deadlock. A process can be preceded by an event (ev.P ). Furthermore, a process can be a choice betweentwo alternative processes, either a non-deterministic choice (P1 + P2) or a conditional choice (P1 � φ1 = φ2 � P2). If φ1is syntactically equal to φ2, the process behaves as P1; otherwise, the process behaves as P2. Finally, we have guardedrecursion of processes. We assume a class of process variables, which is ranged over by X . For every process variable X ,with arity n, there is a defining equation of the form X(var1, . . . , varn) = P , with the syntactic requirement that the freevariables of P (as defined below) are precisely var1, . . . , varn .

Example (Processes). The following are examples of processes.

δ

ph(1).δ

ph(2).δ � {φ}k = {φ′}k � ph(1).δ

ph(1).X(φ1, {φ2}k,n)

Without loss of generality, we assume a naming convention such that all free variables in the defining equation of aprocess variable have globally unique names. This limits the scope of such variables to that defining equation.


Substitutions are extended to processes. The substitution σ applied to process P is denoted as σ(P ) and is defined asfollows.

σ(P ) =

⎧⎪⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎪⎩

δ if P = δ

σ (ev).σ (P ′) if P = ev.P ′

σ(P1) + σ(P2) if P = P1 + P2

σ(P1) � σ(φ1) = σ(φ2) � σ(P2) if P = P1 � φ1 = φ2 � P2

σ(ev).Y (σ (φ2), . . . , σ (φn)) for fresh Y (var1, . . . , varn) = σ(P ′)if P = ev.X(φ1, . . . , φn) ∧ X(var1, . . . , varn) = P ′

Note that for guarded recursion (i.e. ev.X(φ1, . . . , φn)), the substitution σ is applied to the invoked process too (i.e. to P ,if X(var1, . . . , varn) = P ). This is done by introducing a new defining equation for a fresh process variable Y . The definingequation is of the form Y (var1, . . . , varn) = P ′ , where P ′ is the substitution σ applied to process P , so Y (var1, . . . , varn) =σ(P ).

The function fv is also extended to processes. Note that receiving a term binds the received variables, hence receiveactions reduce the number of free variables. Furthermore, remark that in guarded recursion all free variables of the definedprocess are bound by the invocation (due to the syntactic requirement). Thus, the only free variables of an invocation arethe free variables of the argument list.

fv(P ) =

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

∅ if P = δ

fv(P ′) if P = ev.P ′ ∧ ev ∈ Evph

fv(P ′) ∪ fv(ev) if P = ev.P ′ ∧ ev ∈ Evsnd

fv(P ′) \ fv(ev) if P = ev.P ′ ∧ ev ∈ Evrcv

fv(P1) ∪ fv(P2) if P = P1 + P2fv(P1) ∪ fv(φ1) ∪ fv(φ2) ∪ fv(P2) if P = P1 � φ1 = φ2 � P2

fv(φ1) ∪ · · · ∪ fv(φn) if P = ev.X(φ1, . . . , φn) ∧ ev ∈ Evph

fv(φ1) ∪ · · · ∪ fv(φn) ∪ fv(ev) if P = ev.X(φ1, . . . , φn) ∧ ev ∈ Evsnd

fv(φ1) ∪ · · · ∪ fv(φn) \ fv(ev) if P = ev.X(φ1, . . . , φn) ∧ ev ∈ Evrcv

Variables used in a defining equation which do not appear in the argument list of the equation must be bound by theiroccurrence. This means that such variables may only occur in events which bind variables, i.e. events ∈ Evrcv .

An agent’s state is a combination of behaviour, i.e. the order in which events are executed (as determined by a process),and knowledge (a set of terms) as follows.

Definition 6 (Agent state). The state of an agent a is given by the agent’s knowledge knwa and its process Pa . Thus, agentstate st ∈ Agstate is a tuple of knowledge and a process:

Agstate = P (Terms) × Processes.

A voting system specifies, for each agent, its state. Hence, a voting system is a mapping from agent to states.

Definition 7 (Voting system). A voting system is a system that specifies a state for each agent a. The class of voting systems,VotSys, is defined as VotSys = Agents → Agstate. We denote the state assigned by voting system V S ∈ VotSys to agent a asV S(a) = (knwa, Pa). knwa is the knowledge of agent a, and Pa describes its behaviour.

A voting system V S ∈ VotSys may be instantiated with voter choices, as given by choice function γ : V → C . This instan-tiation is denoted as V S γ , which, for each voter, substitutes the voter choice variable vc by the choice specified by γ in herprocess, as follows.

V S γ (a) ={ V S(a) if a /∈ V

(π1(V S(a)),π2(σ (V S(a)))) if a ∈ V ∧ σ = vc �→ γ (a)

Recall that πi denotes an extraction function that extracts the ith component from a tuple.

Example (Voting system). In Table 2 we specify a voting system V S 0 with two voters v1, v2 and one authority T . In V S 0,voter v1 sends her signed vote, encrypted with T ’s public key, to counter T . Voter v2 does the same for her vote. Note thatthese votes are specified as vc, until instantiated by a choice function. The counter receives these votes in variables var1and var2, respectively. The initial knowledge of a voter consists of her private key and the public key of T . As there are novoter-to-voter interactions, we omit the public keys of other voters in the initial knowledge of a voter in this example. Inaddition to V S 0, we also show V S γ1

o , where γ1(v1) = c1 and γ1(v2) = c2.


Table 2Example of voting system V S 0 and V S γ1

0 (where γ1(v1) = c1 andγ1(v2) = c2).

V S 0(v1)= ({pk(T ), sk(v1)}, s(v1, T , {{vc}sk(v1)}pk(T )) . δ)

V S 0(v2)= ({pk(T ), sk(v2)}, s(v2, T , {{vc}sk(v2)}pk(T )) . δ)

V S 0(T )= ({pk(v1),pk(v2), sk(T )},r(v1, T , {{var1}sk(v1)}pk(T )) . r(v2, T , {{var2}sk(v2)}pk(T )) . δ)

V S γ10 (v1)= ({pk(T ), sk(v1)}, s(v1, T , {{c1}sk(v1)}pk(T )) . δ)

V S γ10 (v2)= ({pk(T ), sk(v2)}, s(v2, T , {{c2}sk(v2)}pk(T )) . δ)

V S γ10 (T )= V S 0(T )

3.2. Semantics of the framework

The operational semantics of a voting system is defined by a number of derivation rules of the form

p1 . . . pn

S e−→ S ′ .

This expresses that if the system is in state S and if the premises p1 to pn are satisfied, the system may perform event eand continue in state S ′ [21]. The operational semantics is defined in two layers. First, the semantics of individual agentsis defined. Next we define the semantics of a voting system based on the semantics of individual agents. The operationalsemantics of a voting system can be seen as the parallel composition of all agents.

3.2.1. Agent semanticsThe semantics of agents describes the effect of the events on the agent state. Recall that agent state is defined as a tuple

containing a knowledge set and a process: Agstate = P (Terms) × Processes.In our assumed intruder model, each tappable communication by an agent is a communication with the intruder. Hence,

the semantic rules below take the intruder’s knowledge into account. The states considered below thus consist of a tupleof intruder knowledge K I and agent state. In the rules below, events may involve a, x ∈ Agents, which we omit from thepremise of the rules.

There are some restrictions on the terms that may occur in an event. A term φ occurring in a send event must be closed(fv(φ) = ∅) at the moment of sending. A term occurring in a receive event can specify the structure of the term to bereceived. There is a limitation: a receiving agent a can only specify the structure up to the extent of his knowledge knwa .This is captured by the readable predicate Rd : P (Terms) × Terms (inspired by [22]).

Rd(knwa, φ) ≡

⎧⎪⎪⎪⎨⎪⎪⎪⎩

true if φ ∈ Varsknwa φ if φ ∈ C ∪ Nonces ∪ Keys ∪ Agentsknwa φ ∨ (knwa k−1 ∧ Rd(knwa, φ1)) if φ = {φ1}k(Rd(knwa, φ2) ∧ Rd(knwa ∪ {φ2}, φ1)) if φ = (φ1, φ2)

∨(Rd(knwa, φ1) ∧ Rd(knwa ∪ {φ1}, φ2))

An agent a may use term φ as a template for a receive event, when φ is either a variable or a constant term derivablefrom knwa . When φ is an encryption, it may be used as a template if the agent knows the inverse key, or if the agentknows the key and can read the encrypted message. For pairing, we take into account that either side of the pair maycontain information (e.g. a key) that is necessary to read the other side.

Example (Readability of terms). Below, we illustrate the readability function for several terms and knowledge sets (assumingsymmetric encryption).

φ knw Rd(knw, φ) φ knw Rd(knw, φ)

var ∅ true(n,k) ∅ false (n,k) {n,k} true{var}k ∅ false {var}k {k} true{n}k {n} false {n}k {n,k} true

(k, {var}k) ∅ false (k, {var}k) {k} true(var1, {var2}var1 ) ∅ true

public send. An agent may send a closed term φ if and only if the agent knows the term (note that variables do notcapture knowledge).

knwa φ fv(φ) = ∅(K I ,knwa, s(a, x, φ).P )

s(a,x,φ)−−−−−→ (K I ∪ {φ},knwa, P )


public receive. A receive event specifies an open, readable term φ. By receiving a matching term φ′ , the unassigned vari-ables in φ are assigned a value by the unique substitution σ such that match(φ′, φ,σ ).

K I φ′ fv(φ′) = ∅ match(φ′, φ,σ ) Rd(knwa, φ)

(K I ,knwa, r(x,a, φ).P )r(x,a,φ′)−−−−−→ (K I ,knwa ∪ {φ′}, σ (P ))

anonymous send. The anonymous send semantics follows directly from the above public send semantics by replacing thesend event s(x, y, φ) with event as(x, y, φ).

knwa φ fv(φ) = ∅(K I ,knwa,as(, x, φ).P )

as(,x,φ)−−−−−→ (K I ∪ {φ},knwa, P )

anonymous receive. An anonymous receive is largely equal to the public receive, except that the event omits informationabout the sender.

K I φ′ fv(φ′) = ∅ match(φ′, φ,σ ) Rd(knwa, φ)

(K I ,knwa, r(a, φ).P )ar(a,φ′)−−−−−→ (K I ,knwa ∪ {φ′}, σ (P ))

untappable send. An untappable send is a send event which happens outside intruder control or even intruder awareness.It thus limits the power of the intruder. Note that the intruder does not learn the communicated term for an untappablesend event.

knwa φ fv(φ) = ∅(K I ,knwa,us(a, x, φ).P )

us(a,x,φ)−−−−−−→ (K I ,knwa, P )

untappable receive. An untappable receive is the receiving dual of the untappable send. Thus, it occurs outside intrudercontrol or awareness, and represents a limit on the power of the intruder. Note that, at this level of the semantics, theorigin of the term φ′ is not specified. The origin of this term is specified at the system level, where untappable receive issynchronised with untappable send.

fv(φ′) = ∅ match(φ′, φ,σ ) Rd(knwa, φ)

(K I ,knwa,ur(x,a, φ).P )ur(x,a,φ′)−−−−−−→ (K I ,knwa ∪ {φ′}, σ (P ))

phase synchronisation. The events of the set Evph are intended to synchronise agents in the system. At the agent level,these events have little impact, as evidenced by the following operational semantic rule.

ev ∈ Evph

(K I ,knwa, ev.P )ev−−→ (K I ,knwa, P )

non-deterministic choice. An agent that can execute a non-deterministic choice may choose any of the alternatives, asfollows.

(K I ,knwa, P1)ev−−→ (K ′

I ,knw′a, P ′

1)

(K I ,knwa, P1 + P2)ev−−→ (K ′

I ,knw′a, P ′

1)


I ,knw′a, P ′

2)

(K I ,knwa, P1 + P2)ev−−→ (K ′

I ,knw′a, P ′

2)

conditional choice. A conditional choice is a choice between two processes, based upon syntactical comparison of twoterms. While these two terms may be open terms in the agent’s specification, upon execution, we require that these termsare closed.


I ,knw′a, P ′

1) fv(φ1) = ∅(K I ,knwa, P1 � φ1 = φ1 � P2)

ev−−→ (K ′I ,knw′

a, P ′1)


I ,knw′a, P ′

2) φ1 = φ2 fv(φ1) = fv(φ2) = ∅(K I ,knwa, P1 � φ1 = φ2 � P2)

ev−−→ (K ′I ,knw′

a, P ′2)

guarded recursion. An invocation of process variable X with argument list φ1, . . . , φn can be executed by agent a if thecorresponding process in the defining equation can execute, under the specified arguments.

(K I ,knwa, σ (P ))ev−−→ (K ′

I ,knw′a, P ′) X(var1, . . . , varn) = P σ = var1 �→ φ1 ◦ · · · ◦ varn �→ φn

(K I ,knwa, X(φ1, . . . , φn))ev−−→ (K ′

I ,knw′a, P ′)


3.2.2. System semanticsThe operational semantics of voting systems describe how the state of a voting system changes due to the interactions

of its agents. The state of a voting system is given by the intruder knowledge and the state of each agent.

Definition 8 (State of a voting system). The state of a voting system is a tuple of intruder knowledge and a mapping of agentsto agent states (recall that VotSys = Agents → Agstate), as follows.

State = P (Terms) × VotSys.

The knowledge and current process for each agent are given by VotSys. We denote the attribution of state (knwa, Pa) toagent a as a @ (knwa, Pa). The current state of agent a in system state (K I , S) is denoted as a @ (knwa, Pa) ∈ S . The initialstate of voting system V S with respect to choice function γ is (K 0

I , V S γ ), for initial intruder knowledge K 0I .

Typically, the initial intruder knowledge contains public keys of all agents, compromised keys etc.The operational semantics of voting systems in the context of a Dolev–Yao intruder (limited to public and anonymous

channels) is given below. The semantic rules give rise to a labelled transition system, with labels denoting the events.Untappable communication is modelled as synchronous communication, hence the us and ur events are replaced by ucevents (denoting untappable communication) in the set of labels Labels of the transition system:

Labels = {uc(a,a′, φ) | a,a′ ∈ Agents ∧ φ ∈ Terms

} ∪ Ev \ {ur(a,a′, φ),ur(a,a′, φ) | a,a′ ∈ Agents ∧ φ ∈ Terms

}.

Both untappable communications and phase synchronisation are synchronous events by more than one agent. The otherevents are executed without synchronising with other agents. We distinguish the non-synchronous events as Evnosync , whichis defined as follows.

Evnosync = {s(a,a′, φ), r(a,a′, φ),as(,a′, φ),ar(a′, φ) | a,a′ ∈ Agents, φ ∈ Terms

}.

The below system semantics uses the above agent semantics to define the dynamic behaviour of the system. The rulesbelow may involve agents a,b ∈ Agents, which we omit from the premises of the rules. Note that the premise of the rulesinvolves agent state transitions (a three-tuple of intruder knowledge, agent knowledge and agent process), and may specifyrestrictions on the system state (a mapping of agents to agent states).

non-synchronous events. The operational semantics for public and for anonymous send as well as read events is given bythe following rule.

(K I ,knwa, P )ev−−→ (K ′

I ,knw′a, P ′) ev ∈ Evnosync a @ (knwa, P ) ∈ S

(K I , S)ev−−→ (K ′

I , {a @ (knw′a, P ′)} ∪ S \ {a @ (knwa, P )})

untappable communications. As no agent, nor the intruder, except for the sending agent and the receiving agent, areaware of untappable communications, we model them as synchronous communication. This captures both untappable sendand receive in one transition. Hence, a new label for this transition is needed. We use uc(a,b, φ), which must match boththe send us(a,b, φ) and the receive ur(a,b, φ) events. Note that the intruder’s knowledge does not change due to untappablecommunications, nor does the sending agent’s knowledge.

(K I ,knwa, Pa)us(a,b,φ)−−−−−−→ (K I ,knwa, P ′

a)

(K I ,knwb, Pb)ur(a,b,φ)−−−−−−→ (K I ,knw′

b, P ′b)

s0 = {a @ (knwa, Pa),b @ (knwb, Pb)} s0 ⊆ S

(K I , S)uc(a,b,φ)−−−−−−→ (K I , {a @ (knwa, P ′

a),b @ (knw′b, P ′

b)} ∪ S \ s0)

phase synchronisation. Phase events denote synchronisation points. A ph(i) event may only occur if all authorities haveagreed that the election will evolve into a new phase. As a consequence, all agents who are ready and willing to do so willmove to the new phase as well.1

In the semantics rule below, the agents that are ready and willing to execute the phase transition are captured (togetherwith their states) in the set Phase. Note that Phase is a subset of all agents ready to execute a phase transition, as readi-

1 We conjecture that our semantics of phase synchronisation is similar to the strong phase semantics as proposed in [10].


Fig. 1. A labelled transition system.

ness does not imply willingness. The set Phase′ reflects the new states for these agents. Finally, we explicitly require eachauthority a ∈ Aut to be ready and willing to execute the phase transition.

i ∈ N

Phase ⊆ {a @ (knwa, Pa) ∈ S | ∃P ′a : (K I ,knwa, Pa)

ph(i)−−−→ (K I ,knwa, P ′a)}

Aut ⊆ {a ∈ Agents | ∃knwa, Pa : a @ (knwa, Pa) ∈ Phase}Phase′ = {a @ (knwa, P ′

a) | ∃Pa : a @ (knwa, Pa) ∈ Phase ∧ (K I ,knwa, Pa)ph(i)−−−→ (K I ,knwa, P ′

a)}(K I , S)

ph(i)−−−→ (K I ,Phase′ ∪ S \ Phase)

The above semantics rules give rise to labelled transition systems. Each possible execution of the system is representedby a path in this labelled transition system. A path is represented by a list of the path’s labels and is called a trace. The setof traces of a given voting system is defined as follows.

Definition 9 (Traces). The class of traces Traces consists of finite lists of labels. The traces of a voting system V S γ (votingsystem V S instantiated with choice function γ ) are given by

Tr(

V S γ) = {

α ∈ Labels� | α = α0 . . . αn−1 ∧ ∃s0, . . . , sn ∈ State : s0 = (K 0

I , V S γ) ∧ ∀0 � i < n : si

αi−−→ si+1}.

The set of traces of a voting system V S is now given by

Tr(V S) =⋃

γ ∈V →CTr

(V S γ

).

We denote the intruder knowledge in the last state of a trace t as K tI . The empty trace is denoted by ε .

Example (Traces). Consider the voting system V S 0 from Table 2, and a choice function γ1 such that γ1(v1) = γ1(v2) = c.Then we have the following.

ε ∈ Tr(V S γ10 )

s(v1, T , {{c}sk(v1)}pk(T )) ∈ Tr(V S γ10 )

s(v1, T , {{c}sk(v1)}pk(T )) s(v2, T , {{c}sk(v2)}pk(T ))∈ Tr(V S γ10 )

s(v1, T , {{c}sk(v1)}pk(T )) r(v1, T , {{c}sk(v1)}pk(T ))∈ Tr(V S γ10 )

. . .

If we denote the send event of voter v1 as s1, the send event of voter v2 as s2 and the corresponding read events ofthe tallyer as r1, r2, respectively, the labelled transition system for this voting system is as in Fig. 1. Its full set of traces issuccinctly described as

Tr(

V S γ10

) = {ε, s1, s2, s1s2, s2s1, s1r1, s1s2r1, s2s1r1, s1r1s2, s1s2r1r2, s1r1s2r2, s2s1r1r2}.

Traces model the dynamic behaviour of the system. The next section determines the privacy of a given voter in a giventrace. This is then extended to establish the privacy of a voter in a voting system.

4. Privacy in voting systems

The framework developed in the previous section enables us to express if an intruder can distinguish two executionsof the system, as previously expressed by Mauw, Verschuren and De Vink [18] and later by Garcia et al. [17] for passive


Table 3Example: reinterpretation of terms.

φ ρ(φ) ρ ′(φ)

n n′ n′′k k′ kc c c

{(c,n)}k {(c,n′)}k′ {c,n′′}k

sk(a) sk(a) sk(a)

intruders. Traces t, t′ are to be considered equivalent if the intruder cannot distinguish them. To formalise this equivalence,the distinguishing ability of the intruder is formalised as the intruder’s ability to distinguish two messages. We introducethe notion of reinterpretation to capture this.

Definition 10 (Reinterpretation [17]). Let ρ be a permutation on the set of terms Terms and let K I be a knowledge set. Themap ρ is a semi-reinterpretation under K I if it satisfies the following.

ρ(φ) = φ for φ ∈ C ∪ {a, sk(a),pk(a) | a ∈ Agents

}ρ((φ1, φ2)

) = (ρ(φ1),ρ(φ2)

)ρ({φ}k

) = {ρ(φ)

}ρ(k)

if K I φ,k ∨ K I {φ}k,k−1

Map ρ is a reinterpretation under K I iff it is a semi-reinterpretation and its inverse ρ−1 is a semi-reinterpretation underρ(K I ). The notion of reinterpretation is extended straightforwardly to events and to traces by applying ρ to the messagefields of events (in traces).

The notion of reinterpretation models the intruder’s ability to distinguish terms. The intruder can distinguish any candi-date and agent name from any other term. As public keys and private keys identify the agent, these too can be distinguishedfrom any other term. As the intruder does not know which nonces or (non-public/private) keys belong to which agents, hecannot distinguish these from other terms. Furthermore, the intruder can distinguish the structure of paired terms. En-crypted terms can only be distinguished if the intruder can decrypt the term or if he can construct the term himself. Notethat as the intruder cannot distinguish one key from another, ρ must be applied to the encryption key of any encryptedmessage that he can distinguish.

Example (Reinterpretation). In Table 3, we provide two permutations on terms ρ and ρ ′ that are reinterpretations fork,k′,n,n′,n′′ ∈ K I .

Some events in a trace are hidden from the intruder, hence the intruder has a restricted view of a trace. In particu-lar, the intruder cannot see any uc transitions (communications over untappable channels), nor the sender of anonymouscommunications. The visible part of a trace is captured by the function obstr : Traces → Traces as follows:

obstr(ε) = ε

obstr(� · t) ={

obstr(t) if � = uc(a,a′, φ)

as(x, φ) · obstr(t) if � = as(, x, φ)

� · obstr(t) otherwise

Definition 11 (Trace indistinguishability). Traces t, t′ are indistinguishable for the intruder, notation t ∼ t′ iff there exists areinterpretation ρ such that the visible part of t is the visible part of ρ(t′) and the final intruder knowledge in t and t′ isequal modulo ρ . Formally put:

t ∼ t′ ≡ ∃ρ : obstr(t′) = ρ(obstr(t)

) ∧ K tI = ρ

(K t′

I

).

The above definition of the intruder’s ability to distinguish traces extends to his ability to distinguish sets of traces asfollows.

Definition 12 (Choice indistinguishability). Given voting system V S , choice functions γ1, γ2 are indistinguishable to the in-truder, notation γ1 �V S γ2 iff

∀t ∈ Tr(

V S γ1)

:∃t′ ∈ Tr(

V S γ2)

: t ∼ t′ ∧∀t ∈ Tr

(V S γ2

):∃t′ ∈ Tr

(V S γ1

): t ∼ t′

The set of choice functions indistinguishable for the intruder in a given system is now succinctly defined as follows.


Fig. 2. Knowledge sharing, (i) pre- and post-election and (ii) mid-election.

Definition 13 (Choice group). The choice group for a voting system V S and a choice function γ is given by

cg(V S, γ ) = {γ ′ | γ �V S γ ′}.The choice group for a particular voter v , i.e. the set of candidates indistinguishable from v ’s chosen candidate, is given by

cgv(V S, γ ) = {γ ′(v) | γ ′ ∈ cg(V S, γ )

}.

In the last definition, the privacy of a voting system is defined with respect to an intruder who can control all com-munication channels except the untappable channels. The next chapter poses the question of how much of this remainingprivacy is controlled by the voter.

5. Conspiring voters

The above framework captures the behaviour of a passive voter, who does not actively cooperate with the intruder toprove how she has voted. However, as remarked in the introduction, we focus on voters trying to renounce their vote-privacy. A conspiring voter can try to share her knowledge with the intruder. The classic receipt-freeness case assumes thevoter shares her final knowledge. As noted in [12], the timing of knowledge sharing is important. In order to prove thatshe really has the receipt, the voter needs to share her private knowledge before it becomes public in the course of theexecution of the voting system. Furthermore, during the course of an election, a voter may learn or commit to knowledgethat the intruder is unaware of, by communicating over untappable channels. A voter may seek to circumvent the privacyprovisions of these channels by sharing knowledge received over such a channel with the intruder, and by using intruder-supplied information to send over such a channel. The timing of sharing information between the conspiring voter and theintruder hence is important.

We distinguish the cases where the voter shares her full knowledge (post-election or pre-election) from the cases wherethe voter conspires due to untappable channels (sharing information, using intruder-supplied information, or both). In ab-sence of untappable channels, all communications are visible to the intruder. In this case, the sooner a voter shares herknowledge with the intruder, the more traces the intruder can distinguish. Classical receipt-freeness, classic-rf, tries to breakvote-privacy by sharing knowledge after elections. However, sharing knowledge beforehand, start-rf, gives the intruder moreknowledge during the elections. This situation is depicted below in Fig. 2(i).

In presence of untappable channels, the intruder is not aware of every increase of the voter’s knowledge. The voter canmitigate this by conspiring mid-election. Her willingness to do so is captured in Fig. 2(ii). The conspiring voter may chooseto share information the intruder would not learn otherwise (rf-share) or use intruder-supplied terms in communicationshidden from the intruder (rf-witness) to later prove how she voted. The combination of these two notions is at the top ofthe ordering (rf-relay).

A voter may use privacy-reducing techniques from both hierarchies to reduce her privacy. We denote this, e.g., as atype 1a voter, or a type 2c voter. In the next section, we present precise definitions of these notions.

6. Modelling conspiratory behaviour

A conspiring voter behaves differently from a regular voter, as she will communicate with the intruder in certain cir-cumstances. We incorporate the different conspiracy classes into the framework as follows. We start by selecting a regularvoter and the conspiracy class that we assume her to satisfy. Then the regular specification of this voter is transformedinto a conspiring specification by following the transformation rules of this conspiracy class as defined below. For instance,the transformation for class 1 (classic-rf) consists of adding an extra event at the end of the voter’s specification whichrepresents the sharing of her knowledge with the intruder.


In order to formalise this approach, we extend the set of events Ev with events: {is(φ), ir(φ)}, where is(φ) denotes theagent sending term φ to the intruder, and ir(φ) denotes receiving term φ from the intruder. The agent level semantics ofthese events is given below:

send to intruder:knwv φ fv(φ) = ∅

(K I ,knwv , is(φ).P )is(φ)−−−→ (K I ∪ {φ},knwv , P )

receive from intruder:K I φ′ fv(φ′) = ∅ match(φ′, φ,σ ) Rd(knwv , φ)

(K I ,knwv , ir(φ).P )ir(φ′)−−−→ (K I ,knwv ∪ {φ′}, σ (P ))

The specific conspiracy classes are captured by a syntactical transformation of the process of the conspiring voter v asfollows:

• 1. classic-rf: at the end of her process, v sends her knowledge set to the intruder (knwv is represented as a pairing ofeach element of knwv ).

• 2. start-rf: as the first event executed by v , she sends her knowledge set to the intruder.• a. rf-share: each ur(a, v, φ) is followed by an is(φ).• b. rf-witness: The intruder supplies the voter-controllable parts of the term used in each us(v,a, φ). To do so, the

intruder must know what terms are voter-controllable. To this end, we introduce two functions:– a function vars(v, φ) that returns the variables of φ that agent v can control, and– a function freshvars(v, φ), that replaces every voter-controllable variable in φ by a fresh variable.The voter sends vars(v, φ) to the intruder, who replies with a similar term, changing the values to his liking. The voterthen uses the newly supplied values in the untappable send event.

• c. rf-full: this combines rf-share and rf-witness.

Note that where classic-rf and start-rf transform the ending and beginning, respectively, of voter v ’s process, the other threeconspiracy classes transform events inside the voter process. To model conspiracy, we first introduce an event transformationfunction θi , which relies on auxiliary functions vars and freshvars. Then, the event transformation function is then extendedto processes and to voting systems.

The function vars : V × Terms → Terms captures those variables of a term φ that are under a voter v ’s control. Thisfunction is defined as follows.

vars(v, φ) =

⎧⎪⎨⎪⎩

{φ} if φ ∈ Varsvars(v, φ′) if φ = {φ′}k, for k ∈ Keysvvars(v, φ1) ∪ vars(v, φ2) if φ = (φ1, φ2)

∅ otherwise

The function freshvars : V × Terms → Terms replaces every voter-controllable variable in φ by a fresh variable. To this end,we assume the existence of a substitution σfresh , where dom(σfresh) = vars(v, φ), that substitutes fresh variables for everyvoter-controlled variable. Note that some, but not all occurrences of a variable may be voter-controllable (e.g. var in theterm (var, {var}sk(Reg))). Hence, σfresh may only freshen those uses of variables that are under voter control, as follows.

freshvars(v, φ) =

⎧⎪⎨⎪⎩

σfresh(var) if φ ∈ Vars{freshvars(v, φ′)}k if φ = {φ′}k, for k ∈ Keysv(freshvars(v, φ1), freshvars(v, φ2)) if φ = (φ1, φ2)

φ otherwise

Definition 14 (Event transformation). The event transformation functions θi : V × Ev → Processes, for i a conspiracy class∈ {a,b, c}, are defined as follows.

– θa(v, ev) ={

ur(ag, v, φ) . is(φ) if ev = ur(ag, v, φ)

ev otherwise

– θb(v, ev) ={

is(vars(v, φ)) . ir(vars(v, φ′)) . us(v,ag, φ′) if ev = us(v,ag, φ), for φ′ = freshvars(v, φ)

ev otherwise

– θc(v, ev) = θb(v, θa(v, ev)).

We model sending of a set (for example, is(vars(v, φ))) as sending a pairing of all elements of the set (in this example,vars(v, φ)).

The event transformation θa ensures that every untappable receive event is followed by an intruder send event. The eventtransformation θb ensures that the intruder supplies all voter-controllable input for every untappable send event. The eventtransformation θc combines θa and θb .


Table 4Example: event transformation.

ev θa(ev) θb(ev)

ph(1) ph(1) ph(1)

ur(a,b, var) ur(a,b, var) . is(var) ur(a,b, var)us(a,b, (vc, {vc}sk(Reg))) us(a,b, (vc, {vc}sk(Reg))) is(vc) . ir(irvar) . us(a,b, (irvar, {vc}sk(Reg)))

Example (Event transformation). In Table 4, we show some examples of event rewrites. We leave out θc , as it is the compo-sition of θa and θb .

We model a conspiring voter, according to the conspiracy classification above, by means of a process transformationfunction. This function transforms the process by introducing conspiring behaviour.

Definition 15 (Process transformation). The process transformation function Θi : V × Processes → Processes transforms a pro-cess for a specific voter v into a conspiring process of the class i ∈ {1,2,a,b, c}. For i = 2, conspiracy is a matter of sharinginitial knowledge, which is modelled as

Θ2(v, P ) = is(knwv).P

In the other cases, conspiracy has an effect on the events of the processes. For readability, we do not distinguish cases fori = 1, but simply state θ1(v, ev) = ev. For i ∈ {1,a,b, c}, process transformation is defined as follows.

Θi(v, P ) =

⎧⎪⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎪⎩

δ if i = 1 ∧ P = δ

is(knwv ).δ if i = 1 ∧ P = δ

θi(v, ev).Θi(v, P ) if P = ev.PΘi(v, P1) + Θi(v, P2) if P = P1 + P2Θi(v, P1) � φ1 = φ2 � Θi(v, P2) if P = P1 � φ1 = φ2 � P2, for φ1, φ2 ∈ Termsθi(v, ev).Y (φ1, . . . , φn), for fresh Y (var1, . . . , varn) = Θi(v, P ′)

if P = X(φ1, . . . , φn) ∧ X(var1, . . . , varn) = P ′

Example (Process transformation). In the example process transformations below, s1 is the send action of voting system V S 0,in Table 2. The first two entries transform voter process 1 from V S 0. The final example illustrates how a more complexprocess is transformed.

P i Θi(v, P )

s1.δ 1 s1.is( (pk(T ), sk(v1)) ).δ

s1.δ 2 is( (pk(T ), sk(v1)) ).s1.δ

s1.δ + s2.δ ∈ {a,b, c} θi(v1, s1).δ + θi(v1, s2).δ

Process transformation is extended to voting systems as follows.

Θi(v, V S)(a) ={

V S(a) if a = v(π1(V S(v)),Θi(v,π2(V S(v)))) if a = v

The above transformations are extended to i ∈ {1a,2a,1b,2b,1c,2c} for combinations of conspiring behaviour, e.g.Θ1a(v, V S) = Θ1(v,Θa(v, V S)). Using the above system transformation, we can define the choice group for conspiringvoters in a voting system within our framework (see Section 4).

Definition 16 (Conspiracy induced choice group). The choice group of conspiring voter v in voting system V S given choicefunction γ , with respect to different conspiracy classes i ∈ {1,2,a,b, c,1a,2a,1b,2b,1c,2c}, is given by

cgiv(V S, γ ) = cgv

(Θi(v, V S), γ

).

Given this definition of privacy, conspiracy-resistance is a measure of the voter’s choice groups as follows.

Definition 17 (Conspiracy-resistance). We call voting system V S conspiracy-resistant for conspiring behaviour i ∈ {1,2,a,b, c}iff

∀v ∈ V , γ ∈ V → C : cgiv (V S, γ ) = cgv(V S, γ ).

Remark that for when |V | = 1 or |C| = 1, we have ∀γ : cg(V S, γ ) = {γ }, which implies that ∀v ∈ V : cgv(V S, γ ) =cgi

v (V S, γ ) = {γ (v)}. Thus, in such settings, there is not vote-privacy to lose, and conspiracy-resistance is satisfied trivially.


Fig. 3. A ThreeBallot in 3BS.

The notion of receipt-freeness as introduced by Benaloh and Tuinstra [1] coincides with ∀v, γ : |cg1v(V S, γ )| > 1. The

approach of Delaune, Kremer and Ryan [8,9] coincides with choice groups of size greater than one. Our framework capturesany modifier of privacy, including modifiers that are not privacy-nullifying. The amount of conspiracy-resistance of a systemis measured as the difference in privacy between a regular voter and a conspiring voter. The above privacy definitionscapture this by determining the exact choice group and thus the exact voter privacy for any level of conspiracy.

7. Examples

The above presented framework is designed to provide a formal and quantitative analysis. However, a full analysis ofan existing voting system goes beyond the scope of this paper. Therefore, this section only illustrates application of theframework at a high level. For this purpose, models of the FOO [14] system and the ThreeBallot system (3BS, [23]) areexamined.

7.1. FOO

The FOO protocol has been studied in literature and is known to have receipts [12,13]. FOO does not use untappablechannels, thus there are no conspiring voters of type a,b, c. The only possibility for a voter to conspire is by sharingknowledge as in Fig. 2(i). A conspiring voter of type 1 already nullifies her privacy – ∀v, γ : |cg1

v(FOO, γ )| = 1. This isbecause the keys used to encrypt her preferred candidate are shared with the intruder. Thus, the intruder can open theseencryptions and can see how the voter voted. As such, any reinterpretation of the voter’s message carrying her vote isimpossible.

7.2. 3BS

In 3BS, a vote is split over three single ballots (see Fig. 3), which together form one ThreeBallot. Each ballot carries aunique identifier. Upon voting, the three ballots are cast and the voter takes home a receipt (certified copy) of one ballot.The copy allows the voter to verify that her ThreeBallot is actually cast. To vote for a candidate, a voter ticks two boxes inthe row of that candidate; every other candidate-row only receives one tick mark. The voter is free to place the ticks in anycolumn, as long as there is one row with two ticked boxes (her choice) and all other rows have one ticked box. Given thespecific way of voting in 3BS, only a limited subset of the cast ballots can form a valid ThreeBallot with a given receipt (tobe more precise, only those ballots combined with the receipt such that there is only one row with two tick marks). Forexample, consider a receipt with a tick mark for every candidate. This can only be matched with one entirely blank ballot,and one ballot containing precisely one tick mark.

An obvious attack (already pointed out by the designer in [24]) is to agree a priori with the intruder on how to fill inthe ballots (captured by class b conspiracy). The intruder can then easily verify if all three ballots are cast. This reducesprivacy more strongly than a voter merely showing her receipt after the elections (class 1 conspiracy). This, in turn, givesless privacy than not showing the receipt: cgb

v (3BS, γ ) ⊆ cg1v(3BS, γ ) ⊆ cgv(3BS, γ ).

As pointed out in [23], 3BS can also be used in elections where voters are allowed to vote for multiple candidates. In thiscase, a ThreeBallot may contain multiple rows with two tick marks. This means that the number of ballots forming a validThreeBallot with a given receipt is increased. As the number of valid combinations directly affects privacy, voter privacy isimproved. In the framework, this improvement is precisely captured by the size of choice groups.

8. Discussion

In the previous section, we have shown that our framework is able to quantify privacy loss in 3BS, where the receiptof a voter reduces the size of her choice group, but not necessarily to one. This kind of attack cannot be analysed byother formal approaches as discussed in Section 1. Moreover, our framework can capture previously established privacynullification attacks as well as a new class of privacy reduction attacks.

An example of such new attacks is the not-voted-for attack, where the intruder does not want the voter to vote for aspecific candidate, say c1. In this case, the voter’s privacy need not be nullified. This is conspiracy-dependent if the intrudercan rule out the possibility of the voter having voted c1 only because of voter conspiracy. In terms of the framework, the


intruder gains sufficient information to coerce voter v if ∀γ : c1 /∈ cgv(Θ2c(v, V S), γ ). Furthermore, the attack relies onvoter v ’s cooperation if (the intruder gains enough information and) ∀γ : c1 ∈ cgv(V S, γ ).

A similar new type of attack manifests itself in Dutch national elections. In these elections, the candidates providedby the system are individuals, and every candidate is affiliated with precisely one party. Although voters cannot vote forparties directly, the common view of the election is that of voters voting for parties. In this setting, privacy of a voter shouldnot merely encompass the chosen candidate, but also the affiliated party. Thus, even if ∀γ : |cgv(Θ2c(v, V S), γ )| > 1 for aspecific voter v , the intruder may still be able to determine for which party v voted, and thus coerce the voter.

Another example is related to coalitions between the intruder and several successfully conspiring voters. Based on thefinal result of the election and the known votes of these voters, the intruder can further reduce the privacy of honestvoters. A simple example of such a scenario is when a conspiring voter cast the only vote for a particular candidate, thenthe intruder additionally learns that no other voter voted for that candidate.

Finally, the result of an election provides a bias for a voter’s choice – the probability of a voter having voted for thewinner is higher than the probability of a voter having voted for a losing candidate. Our framework makes it possible toaccount for such information bias.

The rest of this section discusses how the privacy definitions of the framework relate to the notions of receipt-freenessand coercion-resistance.

8.1. Receipt-freeness

Receipt-freeness, as introduced by Benaloh and Tuinstra [1], captures ways for a voter to reduce the privacy of how shevoted. The framework captures receipt-freeness by specifying the desired class of conspiring behaviour. From the hierarchyin Fig. 2, we conclude that conspiring behaviour of type 2c models the most conspiring behaviour in the system. Anyknowledge possessed by the voter is shared as soon as possible with the intruder. Nevertheless, this does not preclude 2c-conspiracy-resistant voting systems. For example, designated verifier proofs still force privacy on the voter, as the intruderhas no way to determine if a designated verifier proof forwarded by the voter is fake or not.

8.2. Coercion-resistance

Coercion-resistance, as introduced by Juels, Catalano and Jakobsson [2], captures ways for a voter to reduce the privacyof how she interacts with the voting system. There is confusion in literature about the difference between the notions ofcoercion-resistance and receipt-freeness, and with good cause: if the voter can prove how she voted, the coercer can forceher to produce this proof. Conversely, if there is no such proof, the coercer cannot force this proof. Thus, the susceptibilityof a voter to be forced to vote in a specific way is equivalent to her ability to prove that she voted in that specific way.Succinctly put:

Proving ability = coercion susceptibility.

The notion of coercion-resistance as introduced by Juels et al. extends beyond reducing privacy of the vote. In their view,coercion-resistance encompasses the following:

• receipt-freeness: the voter proves how she voted to the intruder.• forced abstention: the intruder prevents the voter from voting.• simulation attacks: the voter gives her private keys to the intruder, who votes in her stead.• forced random voting: the intruder forces the voter to vote for a random entry in a list of encrypted candidates. Note

that the intruder does not need to know which candidate is chosen, as long as it is a random choice. This attack(if applied to many voters) forces a more uniform distribution of votes instead of the actual distribution of votes. Sucha strategy benefits candidates with less than average votes at the cost of harming candidates with more than averagevotes.

Receipt-freeness is captured by the framework, as explained above. To capture forced abstention, we extend the range of γwith an “abstention” candidate ⊥. This candidate embodies all votes, that do not affect the result (we do not distinguishbetween abstention and malformed voting). The extended set is referred to as C⊥ . Using these extensions, the intruder canforce voter v with conspiring behaviour i to abstain, iff

cgiv(V S, γ ) = {⊥}.

In a simulation attack, the intruder casts a vote himself. Simulation attacks are resisted if the intruder cannot tell if thevote he cast affects the result or not. While the type of voter behaviour necessary for a simulation attack is modelled by theframework (type 2 behaviour), intruder voting is not. However, if we extend the domain of γ to include the intruder int.The extended set is referred to as Vint . The choice group of the intruder then captures the intruder’s unsureness about hisown vote. Hence, a system is simulation-resistant if the intruder cannot tell whether his vote is counted or not, i.e.{⊥, γ (int)

} ⊆ cgint(V S, γ ).


In forced random voting attacks, the intruder forces the voter to vote randomly. This means that whenever the votercan make a choice, either conditionally or non-deterministically, the intruder forces his choice on the voter. This can beexpressed in terms of the framework by rewriting every process P that denotes a choice. Let �rnd be a process transforma-tion function for forcing choices. Then we have, for any process P such that P = P1 + P2 and for any process P such thatP = P1 � φ1 = φ2 � P2,

�rnd(P ) = ir(var).�rnd(P1) � var = true � �rnd(P2),

where var is a fresh variable and true is a constant term ∈ Terms.Thus, coercion attacks can be captured in the framework as well. However, we keep these latter attacks separate, as

these attacks are fundamentally different from the privacy-reducing conspiratory model.

9. Conclusions

We have developed a framework to precisely measure voter-controlled privacy, with respect to different ways how onevoter can share her knowledge with the intruder. This quantitative framework is based on knowledge reasoning and traceequivalences. It allows us to capture the exact meaning of receipt-freeness in the context of vote buying, and to detectattacks that have escaped the focus of published methods in the literature as well.

We intend to apply the framework in full detail to several voting systems. Our quantitative approach to privacy in votingwill, we believe, uncover previously unidentified attacks. We are also interested in modelling authorities conspiring withthe intruder (an extension from conspiring voters), and in investigating the potential effects of various counting methods onprivacy loss.

References

[1] J. Benaloh, D. Tuinstra, Receipt-free secret ballot elections (extended abstract), in: Proc. 26th ACM Symposium on the Theory of Computing, ACM, 1994,pp. 544–553.

[2] A. Juels, D. Catalano, M. Jakobsson, Coercion-resistant electronic elections, in: Proc. 4th ACM Workshop on Privacy in the Electronic Society, ACM, 2005,pp. 61–70.

[3] T. Okamoto, An electronic voting scheme, in: Proc. 14th IFIP World Computer Congress, Conference on IT Tools, 1996, pp. 21–30.[4] B. Lee, K. Kim, Receipt-free electronic voting through collaboration of voter and honest verifier, in: Proc. Japan–Korea Joint Workshop on Information

Security and Cryptology, 2000, pp. 101–108.[5] M. Hirt, K. Sako, Efficient receipt-free voting based on homomorphic encryption, in: Proc. 19th Conference on the Theory and Application of Crypto-

graphic Techniques, in: Lecture Notes in Comput. Sci., vol. 1807, Springer, 2000, pp. 539–556.[6] M. Hirt, Multi-party computation: Efficient protocols, general adversaries, and voting, Ph.D. thesis, ETH Zurich, 2001.[7] B. Lee, K. Kim, Receipt-free electronic voting with a tamper-resistant randomizer, in: Proc. 4th Conference on Information and Communications Security,

in: Lecture Notes in Comput. Sci., vol. 2513, Springer, 2002, pp. 389–406.[8] S. Delaune, S. Kremer, M. Ryan, Coercion-resistance and receipt-freeness in electronic voting, in: Proc. 19th IEEE Computer Security Foundations Work-

shop, IEEE Computer Society, 2006, pp. 28–42.[9] S. Delaune, S. Kremer, M. Ryan, Verifying privacy-type properties of electronic voting protocols, J. Comput. Secur., in press.

[10] S. Delaune, M. Ryan, B. Smyth, Automatic verification of privacy properties in the applied pi-calculus, in: Proc. 2nd Joint iTrust and PST Conferences onPrivacy, Trust Management and Security, in: IFIP Conf. Proc., vol. 263, Springer, 2008, pp. 263–278.

[11] M. Backes, C. Hritcu, M. Maffei, Automated verification of remote electronic voting protocols in the applied pi-calculus, in: Proc. 21st IEEE ComputerSecurity Foundations Symposium, IEEE Computer Society, 2008, pp. 195–209.

[12] H. Jonker, E. de Vink, Formalising receipt-freeness, in: Proc. 9th Conference on Information Security, in: Lecture Notes in Comput. Sci., vol. 3444,Springer, 2006, pp. 476–488.

[13] A. Baskar, R. Ramanujam, S. Suresh, Knowledge-based modelling of voting protocols, in: Proc. 11th Conference on Theoretical Aspects of Rationalityand Knowledge, ACM, 2007, pp. 62–71.

[14] A. Fujioka, T. Okamoto, K. Ohta, A practical secret voting scheme for large scale elections, in: Proc. 3rd Workshop on the Theory and Application ofCryptographic Techniques, in: Lecture Notes in Comput. Sci., vol. 718, Springer, 1992, pp. 244–251.

[15] T. Okamoto, Receipt-free electronic voting schemes for large scale elections, in: Proc. 5th Workshop on Security Protocols, in: Lecture Notes in Comput.Sci., vol. 1361, Springer, 1997, pp. 25–35.

[16] R. Aditya, B. Lee, C. Boyd, E. Dawson, An efficient mixnet-based voting scheme providing receipt-freeness, in: Proc. 1st Conference on Trust and Privacyin Digital Business, in: Lecture Notes in Comput. Sci., vol. 3184, Springer, 2004, pp. 152–161.

[17] F. Garcia, I. Hasuo, W. Pieters, P. van Rossum, Provable anonymity, in: Proc. 3rd ACM Workshop on Formal Methods in Security Engineering, ACM, 2005,pp. 63–72.

[18] S. Mauw, J. Verschuren, E. de Vink, A formalization of anonymity and onion routing, in: Proc. 9th European Symposium on Research Computer Security,in: Lecture Notes in Comput. Sci., vol. 3193, Springer, 2004, pp. 109–124.

[19] T. Chothia, S. Orzan, J. Pang, M. Torabi Dashti, A framework for automatically checking anonymity with μCRL, in: Proc. 2nd Symposium on TrustworthyGlobal Computing, in: Lecture Notes in Comput. Sci., vol. 4661, Springer, 2007, pp. 301–318.

[20] D. Dolev, A. Yao, On the security of public key protocols, IEEE Trans. Inform. Theory 29 (12) (1983) 198–208.[21] L. Aceto, W. Fokkink, C. Verhoef, Structural operational semantics, in: Handbook of Process Algebra, Elsevier, 2001, pp. 197–292.[22] C. Cremers, Scyther – Semantics and verification of security protocols, Ph.D. thesis, Eindhoven University of Technology, 2006.[23] R. Rivest, W. Smith, Three voting protocols: ThreeBallot, VAV, and Twin, in: Proc. 2007 USENIX/ACCURATE Electronic Voting Technology Workshop,

USENIX, 2007.[24] R. Rivest, The ThreeBallot voting system, unpublished manuscript, 2006.

a formal framework for quantifying voter-controlled privacy

Documents